Blogs
The latest cybersecurity trends, best practices, security vulnerabilities, and more
The Bug Report - August 2024 Edition
By Jonathan Omakun · August 26, 2024
Why am I Here
August isn’t just about heat waves and summer getaways for the Northern Hemisphere; it’s also when things get serious for students and cybersecurity pros. As organizations prep for the end of the fiscal year, upgrade systems, and ramp up for the fall, attackers are doing their homework. They’re ready to exploit any vulnerabilities left unpatched during the summer lull. So, while you’re buying new notebooks, make sure you’re also patching those systems. It’s time to sharpen your pencils and your defenses, because class is in session.
- CVE-2024-7593: Ivanti Virtual Traffic Manager (vTM)
- CVE-2024-6768: Microsoft Windows Common Log File System
- CVE-2024-38856: Apache OFBiz
- CVE-2024-38063: Microsoft Windows TCP/IP
- CVE-2024-38178: Microsoft Windows Scripting Engine
- CVE-2018-0824: Microsoft COM for Windows
- CVE-2024-28986: SolarWinds Web Help Desk
Let’s dive into these vulnerabilities and see what lessons we can learn before the final bell rings.
CVE-2024-7593: Ivanti Virtual Traffic Manager (vTM) – The Gatekeeper Who Forgot the Key
What is it?
Imagine the gatekeeper to a mighty fortress suddenly misplacing their key, leaving the doors wide open for anyone to stroll in. That’s essentially what’s happening with CVE-2024-7593 in Ivanti’s Virtual Traffic Manager (vTM). This vulnerability is like a bouncer who forgets to check IDs—attackers can bypass the admin panel's security, creating new admin users without needing to flash any credentials. With admin access, they can control your traffic flow, mess with system configurations, and, just like that, they’re running the show.
The vulnerability arises from a flawed authentication algorithm. Think of it as a combination lock that opens no matter what numbers you spin. What makes this even scarier is that there’s already a Proof of Concept (PoC) floating around, meaning it’s just a matter of time before the wrong people start playing with it. The PoC demonstrates how an attacker can exploit this vulnerability to create a new administrative user without needing valid credentials. Here’s a breakdown of how it works:
- Bypassing Access Control: The PoC leverages a flaw in the wizard.fcgi script, a component of the web interface for Ivanti vTM. By setting the error parameter to 1, the script bypasses the usual access control mechanisms, giving the attacker unauthorized access to sensitive sections of the admin panel, specifically the "Access Management: LocalUsers" section. This is like convincing the bouncer that you’re the club owner, and suddenly, all doors are open.
# Setting 'error' bypasses access control for wizard.fcgi.
params = { 'error': 1, 'section': 'Access Management:LocalUsers' }
- Creation of New Admin User: Once inside, the PoC script sends a POST request to the vTM admin portal targeting the wizard.fcgi script. It includes parameters that trigger the creation of a new user with administrative privileges. By specifying the create_user parameter, the attacker ensures the new account is added to the admin group. This is like walking into the control room of a starship and immediately promoting yourself to captain.
- CSRF Protection Bypass: The PoC also bypasses Cross-Site Request Forgery (CSRF) protections by using the _form_submitted parameter, which effectively disables the checks that would normally prevent unauthorized form submissions. It’s like slipping past the tripwire security system by carrying a badge that shouldn’t exist.
- Post-Exploitation Actions: After the new admin user is created, the attacker can log in using the credentials specified in the PoC (newadmin and newadmin1234). From here, the attacker has full administrative access to the vTM environment, allowing them to modify system settings, access sensitive data, and potentially escalate privileges across the network.
# Create new user request
data = { '_form_submitted' 'form',
'create_user': 'Create',
'group': 'admin',
'newusername': new_admin_name,
'password1': new_admin_password,
'password2': new_admin_password }
# View response
content = r.content.decode('utf-8')
print(content)
if r.status_code == 200 and '<title>2<' in content:
print("New user request sent")
print("Login with username '" + new_admin_name + "' and password '" + new_admin_password + "'")
else:
print("Unable to create new user")
Who Cares?
If you’re using Ivanti vTM, this is your wake-up call. Attackers with admin access can do pretty much anything they want in your environment, turning your traffic manager into their personal playground. The PoC is out there, so don’t wait until you’re under siege—act now.
What Can I Do?
Ivanti has dropped patches in versions 22.2R1 and 22.7R2. Installing these updates is like changing the locks on your doors. Also, restrict access to the management interface by keeping it behind the safety of your internal network—no need to leave the keys under the mat for anyone to find.
Trellix Customers: Trellix Intrusion Prevention System (IPS) provides coverage for this vulnerability. Ensure you have enabled the HTTP Response option and your solution is updated to the latest version/signature set.
CVE-2024-6768: Microsoft Windows Common Log File System – The BSoD Maestro
What is it?
CVE-2024-6768 is like a maestro conducting an unwanted symphony of chaos in your Windows system. Picture this: one moment, everything’s running smoothly, and the next, your screen goes blue—cue the Blue Screen of Death (BSOD). This bug lives in the Microsoft Windows Common Log File System (CLFS.sys), where improper input data validation is the root cause. Imagine a poorly planned concert where one out-of-tune note sends the whole orchestra crashing down—that’s what happens when this vulnerability is exploited.
Attackers can trigger this crash by feeding the system malicious input, causing the CLFS.sys driver to panic and call it quits, leading to a system crash. It’s not just a one-time show either; repeated crashes can disrupt your operations and even lead to data loss, making this bug a conductor of chaos in your IT environment. While Microsoft has downplayed the severity of this vulnerability, citing that it requires existing code execution capabilities and does not grant elevated permissions, the potential for disruption is still significant. Let's dive deeper into the mechanics of this vulnerability and examine how it can be exploited.
A publicly available PoC centers around a crafted .BLF file, specifically designed to exploit a weakness in how the CLFS.sys driver handles input data. The Common Log File System (CLFS) driver processes .BLF files, which are log files used by the system. The vulnerability is triggered by manipulating specific values within the _CLFS_CLIENT_CONTEXT structure of these files. In the provided PoC, the critical value 0xffffffff00ff01 is placed at offset 0x1c10 within the .BLF file.
CLFS Client Context Manipulation: The crafted value is strategically placed within the _CLFS_CLIENT_CONTEXT structure, specifically at offset 0x38. This value is then copied during the execution of the CClfsLogFcbPhysical::Initialize function into the CClfsLogFcbPhysical structure at offset 0x538. This manipulation sets the stage for triggering the vulnerability.
Triggering the Vulnerability: The PoC calls CreateLogFile which in turn uses the crafted value in the UpdateCachedOwnerPage function. The critical moment comes when the system calculates the ulloffset from the crafted value, which results in 0xFFFFFFFF00000000. This calculated offset is then compared within a loop. If the system finds that the value is not what it expects during this comparison, it triggers an unrecoverable state, leading to a call to KeBugCheck, which causes the BSoD and forces a system restart.
Who Cares?
While Microsoft may not consider this vulnerability "patch-worthy," the reality is that it can still be quite disruptive. The vulnerability might not allow attackers to escalate privileges, but it does provide a means to force system reboots, and we all know what the impact of a BSOD can be…..
Attackers could use this to cover their tracks, crash critical systems, or disrupt business operations at crucial moments. For example, an attacker could use this vulnerability in combination with other exploits to mask malicious activity. A sudden system crash might cause admins to overlook a subtle intrusion, dismissing the incident as a random hardware glitch rather than the result of a coordinated attack.
What Can I Do?
Unfortunately, there is currently no patch available for this vulnerability. Microsoft has stated that the technique requires an attacker to have already gained code execution capabilities on the target machine and does not deem it worthy of a patch. However, that doesn't mean you’re completely defenseless:
- Avoid Running Untrusted Binaries: Educate users and administrators on the importance of not running suspicious binaries, especially those that could exploit this vulnerability.
- Monitor for Unexpected Reboots: Keep a close eye on system logs for any unexpected reboots, as these could indicate an attempt to exploit this vulnerability to cover up other malicious activities.
Trellix Customers: Trellix Endpoint Security System (ENS) identifies the PoC as malware and can help mitigate the risk. Ensure ENS is running and you have enabled the Threat Prevention and Adaptive Threat Prevention modules. Ensure your signature content is up-to-date and the on-access scan is enabled.
CVE-2024-38856: Apache OFBiz – The Magician’s Misleading Trick
What is it?
In enterprise resource planning (ERP), Apache OFBiz is a steadfast performer that delivers as expected. But every magician has a trick up their sleeve, and CVE-2024-38856 is the kind of trick that can leave your system completely duped. This vulnerability is like a clever sleight of hand—where the magician distracts you with one hand while the other hand is pulling off the real trick. In this case, the OFBiz system is fooled into bypassing authentication, allowing attackers to execute code as if they were legitimate users.
This exploit manipulates the request handling process, particularly the overrideViewUri functionality. It’s like convincing the system to look the other way while you access critical endpoints—essentially letting you walk backstage while everyone else is focused on the main act.
Researchers at SonicWall Capture Labs have detailed how attackers could exploit a discrepancy between Apache OFBiz processing of the requestUri and overrideViewUri values. Here’s how the magician’s trick unfolds:
Setting the Stage:
Before any magic happens, the system prepares itself by initializing several variables, including path, requestUri, and overrideViewUri. These variables determine what content gets served to the user. Normally, they should work in harmony, ensuring that only authenticated users can access sensitive pages.
// Initialize key variables from the request
String path = request.getPathInfo();
String requestUri = getRequestUri(path);
String overrideViewUri = getOverrideViewUri(path);
In this setup, the path is the complete URL path requested by the user. The system then splits this path to determine requestUri and overrideViewUri.
Misdirection:
This is where the sleight of hand happens. The attacker sends a carefully crafted request that looks innocent on the surface. They exploit the fact that the system uses different methods to calculate requestUri and overrideViewUri.
public String getRequestUri(String path) {
String[] segments = path.split("/");
return segments[0]; // Returns the first part, e.g., "forgotPassword"
public String getOverrideViewUri(String path) {
String[] segments = path.split("/");
return segments.length > 1 ? segments[1] : null; // Returns the second part, e.g., "ProgramExport"
}
For example, when the attacker sends a request like POST /webtools/control/forgotPassword/ProgramExport, the requestUri is set to forgotPassword, which doesn’t require authentication, while the overrideViewUri is set to ProgramExport, a sensitive endpoint.
The Reveal:
Here’s where the trick comes to fruition. The system performs authentication checks based on requestUri—in this case, forgotPassword, which is a non-authenticated endpoint. Meanwhile, the overrideViewUri directs the system to execute the code associated with ProgramExport. The system is effectively fooled into thinking the request is harmless, when in reality, it’s executing a command that should be protected.
// Security check based on requestUri
if (!isAuthenticated(requestUri))
response.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
// Render the page based on overrideViewUri
renderPage(overrideViewUri);
Because requestUri passes the authentication check (since forgotPassword doesn’t require login), the system proceeds to render the view located at overrideViewUri (ProgramExport). This leads to the execution of potentially malicious code without proper authorization.
Here’s an example of how an attacker might craft a request to exploit this vulnerability:
POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1
Host: vulnerable-server.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Who Cares?
Apache OFBiz is used by major organizations to manage critical business processes. A vulnerability like CVE-2024-38856 could have serious implications, allowing unauthorized access to sensitive data or system functions. The trick might be simple, but its consequences are anything but.
What Can I Do?
Don’t let the magician fool you—upgrade to Apache OFBiz version 18.12.15 or newer. Upgrading to this version patches the flaw, restoring the integrity of your ERP system. Keep a close eye on your logs for any signs that someone might be trying to pull off this trick.
CVE-2024-38063: Microsoft Windows TCP/IP – The Ghost in the Network
What is it?
Ever hear stories of ghosts in the machine? CVE-2024-38063 is like the poltergeist of the Windows TCP/IP stack. It’s subtle, it’s sneaky, and when it strikes, you might not even know what hit you. It’s an unpredictable force hidden within the Ipv6pProcessOptions function of the tcpip.sys kernel driver. This spectral bug is triggered by an integer underflow that leads to out-of-bounds memory writes, resulting in sudden system crashes—the dreaded Blue Screen of Death (BSOD). When you think your system is safe, this ghostly presence can strike, causing chaos and disruption without warning.
The ghostly nature of this exploit lies in how it manipulates the system’s memory. The integer underflow creates an incorrect value used in a loop, leading to out-of-bounds writes that crash the system. Researcher Robel Campbell on X demonstrated a Proof of Concept (PoC) showing how this underflow could be triggered, causing a crash. However, the true potential for harm comes from more advanced techniques like heap massaging, where an attacker could corrupt adjacent objects in the heap, leading to more controlled and potentially malicious outcomes.
Another researcher on X delved into the changes made in the patched version of tcpip.sys, revealing that Microsoft addressed the issue by altering how the system handles IPv6 packets. The system could inadvertently process invalidated packets in the unpatched version, leading to vulnerability. The patch corrected this by ensuring that only the current packet is processed, reducing the risk of exploitation.
Triggering this vulnerability requires a flood of IPv6 packets, making it more of a ghostly presence that disrupts rather than destroys. While full Remote Code Execution (RCE) is unlikely due to the complexity of controlling memory offsets during an attack, the vulnerability can still cause significant denial-of-service disruptions, particularly in high-traffic networks.
Who Cares?
If you’re running any version of Windows, you should keep a close eye on this one. The possibility of remote exploitation makes this vulnerability particularly chilling, especially if it’s left unpatched.
What Can I Do?
Microsoft has released patches, so apply them ASAP to send this ghost packing. If your network doesn’t need IPv6, consider disabling it temporarily. But remember, the best way to exorcise this ghost is through proper patching—don’t rely on temporary fixes.
CVE-2024-38178: Microsoft Windows Scripting Engine – The Type Confusion Tango
What is it?
Welcome to the dance floor, where CVE-2024-38178 is leading the Type Confusion Tango. This vulnerability in the Microsoft Scripting Engine is all about missteps and misplaced trust. Type confusion occurs when the script engine mistakenly treats one type of data as another—like trying to tango with someone who’s doing the cha-cha. The result? A messy pile-up that can lead to memory corruption and, worse, remote code execution.
Attackers can exploit this flaw by tricking users into visiting a malicious website. Just one wrong click, and the tango turns into a full-blown disaster, allowing the attacker to execute code on the victim’s machine. If the victim has admin privileges, the attacker could control the entire system—talk about leading the dance.
Who Cares?
Anyone using Windows, particularly those who rely on Edge’s Internet Explorer Mode, should be on guard. This vulnerability is a dance with danger, especially since it’s already being exploited in the wild.
What Can I Do?
Patch, patch, patch! Microsoft’s August Security Updates are your best bet to avoid this dangerous dance. If you don’t need IE Mode, consider disabling it. Also, tighten up your browser’s security settings to keep untrusted scripts off the dance floor.
Trellix Customers: Trellix Intrusion Prevention System (IPS) provides detection for this vulnerability. Ensure you have enabled the HTTP Response option and your solution is updated to the latest version/signature set.
CVE-2018-0824: Microsoft COM for Windows – The Bug That Just Won’t Die
What is it?
Some bugs are like zombies—they just won’t stay dead. CVE-2018-0824 is one of those undead vulnerabilities that keeps coming back to haunt us. Lurking in Microsoft COM for Windows, this vulnerability stems from improper handling of serialized objects. It’s like a zombie that keeps finding new ways to crawl out of its grave, ready to cause havoc.
The 2018 vulnerability CVE-2018-0824 has been added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, signaling its active exploitation in the wild. Users have been given until August 26 to patch or cease using affected Windows systems. This vulnerability doesn’t impact Windows 11 or any other Windows system updated in the last six years.
This vulnerability in Microsoft’s Component Object Model (COM) for Windows arises from improper handling of serialized objects, allowing attackers to execute arbitrary code on a victim’s system. APT41, a well-known advanced persistent threat group, has taken advantage of this flaw by creating a tailored loader to inject a proof of concept directly into memory, achieving local privilege escalation.
A publicly available PoC takes advantage of flaws in how COM handles serialized data. It begins by targeting the CMarshalInterceptor::UnmarshalInterface method, which reads data from an IStream object and compares it against a specific GUID. If the data matches, the exploit moves forward, triggering the CMarshalInterceptor::CreateRecorder function to instantiate a potentially malicious COM object via the IMoniker interface.
Attackers create a fake COM object that tricks the system into executing arbitrary code by manipulating the IMarshal and IStorage interfaces. This process culminates in the IMoniker::BindToObject method, allowing the attacker to elevate privileges and run commands like launching notepad.exe as SYSTEM.
By exploiting this flaw, attackers can trigger dangerous actions within the system, potentially escalating privileges and executing arbitrary code. The persistence of this bug is a stark reminder that even when patches are applied, some vulnerabilities can linger, particularly in systems as complex as COM.
Who Cares?
If you’re running an older version of Windows, even Windows 10, this zombie might be creeping up on you. The fact that it’s been actively exploited makes it a real threat, especially for systems that haven’t been updated.
What Can I Do?
Don’t let this zombie feast on your systems—apply the latest security patches from Microsoft. Keeping your systems updated is the only way to ensure this bug stays dead and buried.
CVE-2024-28986: SolarWinds Web Help Desk – The Deserialization Disaster
What is it?
Imagine you’re opening a seemingly innocent package, only to find a bomb inside. That’s what CVE-2024-28986 does to SolarWinds Web Help Desk (WHD). It’s a deserialization vulnerability, meaning that when the system tries to open and process serialized Java objects, it runs malicious code instead. It’s like discovering that your favorite delivery service has been infiltrated, and now every package could be a ticking time bomb.
This vulnerability allows attackers to send specially crafted serialized objects to the WHD server, executing them as code. The result? Remote code execution, with the attacker potentially gaining full control over the system. And with a CVSS score of 9.8, this bomb is ticking fast.
Who Cares?
If your organization uses SolarWinds WHD, you should be highly alert for this vulnerability. The potential for remote exploitation and the critical nature of the flaw make this a top priority.
What Can I Do?
The only way to defuse this bomb is to upgrade to WHD version 12.8.3 and apply the hotfix. Be mindful of any custom configurations, especially with SAML Single Sign-On, as the current hotfix may not be compatible. Ensure you’ve backed up all critical files before applying the fix—in case something goes wrong.
RECENT NEWS
-
Aug 21, 2024
U.S. Department of Defense Chooses Trellix to Protect Millions of Email Systems from Zero-Day Threats
-
Aug 14, 2024
Magenta Buyer LLC Raises $400 Million of New Capital
-
Aug 1, 2024
Trellix Endpoint Security Stops 100% of Threats in Leading Industry Test
-
Jul 29, 2024
Trellix Named Email Security Innovation Leader
-
Jun 27, 2024
Trellix Named an XDR Market Leader
RECENT STORIES
The latest from our newsroom
Get the latest
We’re no strangers to cybersecurity. But we are a new company.
Stay up to date as we evolve.
Zero spam. Unsubscribe at any time.